Inherited Assignments

Most real Azure access doesn't come from direct role assignments. It comes from being a member of an Azure AD group that holds a role. Role Assignments unifies both kinds of access on each principal's detail panel and labels which is which.

Direct vs. Inherited

Definitions

Direct
The role was assigned to this exact principal. Applies to users, groups, and service principals.
Inherited
The role was assigned to an Azure AD group that this user or service principal is a member of. Includes nested-group membership.

Both kinds appear together on the principal's Access Details panel. To audit only one kind, use the Source filter in the page header (see Filters & Sort).

Reading an Inherited Card

Inherited assignments carry a purple Inherited badge next to the role badge, and the card includes an Inherited via row naming the Azure AD group whose membership grants the role.

Trace revocation back to the right place

For an inherited assignment, removing the user from the named group is what revokes the access, not editing the assignment itself. Use the Inherited via name to find the group in Azure AD.

Nested Groups

Group membership is resolved transitively: if a user is in Group A, and Group A is a member of Group B, and Group B holds a role assignment, the user shows up with that assignment as inherited. The Inherited via row names the group that directly holds the assignment (in this case Group B), not every intermediate group on the chain.
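The resolution described above, as an added illustration that is not part of the product's own code: it walks a constructed group graph transitively, labels each assignment Direct or Inherited, and records only the group that directly holds the assignment as the "Inherited via" value. Group names, principals and scopes are hypothetical.

```python
from collections import deque

# Constructed sample directory: group -> its members (users or nested groups).
# Hypothetical names, not real Azure AD objects.
GROUP_MEMBERS = {
    "Group A": {"alice"},
    "Group B": {"Group A", "bob"},   # Group A is nested inside Group B
    "Group C": {"Group B"},          # Group B is nested inside Group C
}

# Constructed role assignments: (holder, role, scope).
ROLE_ASSIGNMENTS = [
    ("alice", "Reader", "/subscriptions/sub-1"),
    ("Group B", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-app"),
    ("Group C", "Owner", "/subscriptions/sub-1"),
]


def transitive_groups(principal, group_members=GROUP_MEMBERS):
    """Every group the principal belongs to, directly or through nesting."""
    parents = {}
    for group, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen = set()
    queue = deque(parents.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:          # also guards against membership cycles
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def effective_assignments(principal, group_members=GROUP_MEMBERS,
                          assignments=ROLE_ASSIGNMENTS):
    """Direct and inherited assignments for a principal, with their source.

    'via' names the group that directly holds the assignment, never an
    intermediate group on the nesting chain.
    """
    groups = transitive_groups(principal, group_members)
    result = []
    for holder, role, scope in assignments:
        if holder == principal:
            result.append({"role": role, "scope": scope, "source": "Direct", "via": None})
        elif holder in groups:
            result.append({"role": role, "scope": scope, "source": "Inherited", "via": holder})
    return result
```

For "alice" this yields one Direct Reader assignment plus Contributor inherited via Group B and Owner inherited via Group C, even though she is only a member of Group A directly.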